authorAlexandru Munteanu <[email protected]>2016-10-28 04:45:01 +0200
committerLoïc Hoguin <[email protected]>2016-11-01 23:10:07 +0200
commit4d487ac60c3a4962a8280acfcf265b2523b2d76e (patch)
tree2b0ec6f47aa0afe4cb56e56302aeff80eb451a94
parenteafd62e47eae2bb85b5863440a50cbf346ab05e2 (diff)
Add SSL options for legacy software interoperability
-rw-r--r--doc/src/manual/ranch_ssl.asciidoc9
-rw-r--r--src/ranch_ssl.erl15
2 files changed, 18 insertions, 6 deletions
diff --git a/doc/src/manual/ranch_ssl.asciidoc b/doc/src/manual/ranch_ssl.asciidoc
index 07b835a..b809ec1 100644
--- a/doc/src/manual/ranch_ssl.asciidoc
+++ b/doc/src/manual/ranch_ssl.asciidoc
@@ -15,6 +15,7 @@ The `ranch_ssl` module implements an SSL Ranch transport.
[source,erlang]
----
ssl_opt() = {alpn_preferred_protocols, [binary()]}
+ | {beast_mitigation, one_n_minus_one | zero_n | disabled}
| {cacertfile, string()}
| {cacerts, [public_key:der_encoded()]}
| {cert, public_key:der_encoded()}
@@ -33,6 +34,7 @@ ssl_opt() = {alpn_preferred_protocols, [binary()]}
| {keyfile, string()}
| {log_alert, boolean()}
| {next_protocols_advertised, [binary()]}
+ | {padding_check, boolean()}
| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
| {password, string()}
| {psk_identity, string()}
@@ -43,6 +45,7 @@ ssl_opt() = {alpn_preferred_protocols, [binary()]}
| {sni_fun, fun()}
| {sni_hosts, [{string(), ssl_opt()}]}
| {user_lookup_fun, {fun(), any()}}
+ | {v2_hello_compatible, boolean()}
| {verify, ssl:verify_type()}
| {verify_fun, {fun(), any()}}
| {versions, [atom()]}.
@@ -67,6 +70,8 @@ The default value is given next to the option name.
alpn_preferred_protocols::
Perform Application-Layer Protocol Negotiation with the given list of preferred protocols.
+beast_mitigation::
+ Change the BEAST mitigation strategy for SSL-3.0 and TLS-1.0 to interoperate with legacy software.
cacertfile::
Path to PEM encoded trusted certificates file used to verify peer certificates.
cacerts::
@@ -105,6 +110,8 @@ next_protocols_advertised::
List of protocols to send to the client if it supports the Next Protocol extension.
nodelay (true)::
Whether to enable TCP_NODELAY.
+padding_check::
+ Allow disabling the block cipher padding check for TLS-1.0 to be able to interoperate with legacy software.
partial_chain::
Claim an intermediate CA in the chain as trusted.
password::
@@ -125,6 +132,8 @@ sni_hosts::
Options to apply for the host that matches what the client requested with Server Name Indication.
user_lookup_fun::
Function called to determine the shared secret when using PSK, or provide parameters when using SRP.
+v2_hello_compatible::
+ Accept clients that send hello messages in SSL-2.0 format while offering supported SSL/TLS versions.
verify (verify_none)::
Use `verify_peer` to request a certificate from the client.
verify_fun::
diff --git a/src/ranch_ssl.erl b/src/ranch_ssl.erl
index 8fe09dc..913761d 100644
--- a/src/ranch_ssl.erl
+++ b/src/ranch_ssl.erl
@@ -37,6 +37,7 @@
-export([close/1]).
-type ssl_opt() :: {alpn_preferred_protocols, [binary()]}
+ | {beast_mitigation, one_n_minus_one | zero_n | disabled}
| {cacertfile, string()}
| {cacerts, [public_key:der_encoded()]}
| {cert, public_key:der_encoded()}
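Review bot: The new `beast_mitigation` alternative in `ssl_opt()` carries no hint that it relaxes a protection of the transport, and the same applies to `padding_check` (hunk at -55,6 +56,7) and `v2_hello_compatible` (hunk at -65,6 +67,7); a reader of the type sees them as ordinary ssl options. All three are legacy-interoperability knobs for SSL-3.0/TLS-1.0 handling, and the manual entries added in the same commit describe what each does but not that enabling it trades security for compatibility. I would add one comment above the first of them, such as `%% beast_mitigation, padding_check and v2_hello_compatible exist only for interoperability with legacy peers; they weaken SSL-3.0/TLS-1.0 protections and should be left at the ssl default unless that interoperability is required.`, and mirror the caveat in the three asciidoc entries. Which OTP ssl releases accept these options cannot be seen from this hunk, so a reader may also want that noted next to the comment.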
@@ -55,6 +56,7 @@
| {keyfile, string()}
| {log_alert, boolean()}
| {next_protocols_advertised, [binary()]}
+ | {padding_check, boolean()}
| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
| {password, string()}
| {psk_identity, string()}
@@ -65,6 +67,7 @@
| {sni_fun, fun()}
| {sni_hosts, [{string(), ssl_opt()}]}
| {user_lookup_fun, {fun(), any()}}
+ | {v2_hello_compatible, boolean()}
| {verify, ssl:verify_type()}
| {verify_fun, {fun(), any()}}
| {versions, [atom()]}.
@@ -101,12 +104,12 @@ listen(Opts) ->
{reuseaddr, true}, {nodelay, true}])).
listen_options() ->
- [alpn_preferred_protocols, cacertfile, cacerts, cert, certfile,
- ciphers, client_renegotiation, crl_cache, crl_check, depth,
- dh, dhfile, fail_if_no_peer_cert, hibernate_after, honor_cipher_order,
- key, keyfile, log_alert, next_protocols_advertised, partial_chain,
- password, psk_identity, reuse_session, reuse_sessions, secure_renegotiate,
- signature_algs, sni_fun, sni_hosts, user_lookup_fun, verify, verify_fun, versions
+ [alpn_preferred_protocols, beast_mitigation, cacertfile, cacerts, cert, certfile,
+ ciphers, client_renegotiation, crl_cache, crl_check, depth, dh, dhfile,
+ fail_if_no_peer_cert, hibernate_after, honor_cipher_order, key, keyfile,
+ log_alert, next_protocols_advertised, partial_chain, password, padding_check,
+ psk_identity, reuse_session, reuse_sessions, secure_renegotiate, signature_algs,
+ sni_fun, sni_hosts, user_lookup_fun, v2_hello_compatible, verify, verify_fun, versions
|ranch_tcp:listen_options()].
-spec accept(ssl:sslsocket(), timeout())
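Review bot: The rebuilt `listen_options/0` list places `padding_check` after `password`, breaking the alphabetical order that the rest of the list and the `ssl_opt()` type above it keep, so a reader checking that an option is forwarded will look in the wrong place. Swapping the two names on that line restores the order: `log_alert, next_protocols_advertised, padding_check, partial_chain, password,`. This list presumably acts as the allow-list of caller options passed on to the listener (the filtering call sits above the hunk, in `listen/1`, which starts outside it), so keeping it sorted in step with the type makes drift between the two easy to spot.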